A friend of mine brought something to my attention this week. He said he heard there’s a guy out there claiming there are unhackable companies.

Me: Unhackable?

Friend: Yep, unhackable.

Me: What?! No way man. This can’t be true.

Friend: Oh yeah, it’s true. Want me to send you a link?

Me: Absolutely. I’ve got to see this.

He sent me a link to a National Public Radio (NPR) show transcript. The show, All Things Considered, is hosted by Ari Shapiro, a well-respected journalist. Appearing on this show was Richard Clarke, promoting his new book, “The Fifth Domain”. For those of you who don’t know who Richard Clarke is, he was the National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States from 1998 to 2003, an impressive position. He also led a lengthy career with the U.S. government. Like most people in the government and most politicians, he’s well-respected by some and hated by others. Since leaving the public sector, he’s written a bunch of books and he’s been fairly active in speaking about information security (or as he calls it “cybersecurity”). You can read his Wikipedia page if you want to know more about him.

So, I dug into the transcript looking for the place where this wild unhackable company claim was. At this point, I’m still thinking my friend must be mistaken.

SHAPIRO: One line in the book stood out to me from somebody who was talking about election security but could just as easily have been talking about other aspects of cybersecurity. And the line is, our house was robbed, so let’s at least lock the door. The problem is there are so many doors in the United States – 50 states, thousands of counties, who knows how many private businesses. Each one of them is a target. So is it naive to think that anyone could prevent the house from being robbed again?

CLARKE: There are major American corporations that have achieved security – cybersecurity. They don’t like to attract attention to themselves. They don’t like me using their names, so I won’t. But there are big American companies that have done it. Ten years ago, when we wrote the book “Cyber War,” we said no company is safe. If the Russians or the Chinese want to get into your network, they can. Now we’re saying that’s no longer true.

Wait. What the hell does “achieved security – cybersecurity” mean?! Is he saying there are mysterious unhackable “big American companies”? If they’re unhackable, why can’t we know their names and why can’t we share the secret sauce that makes them unhackable with the rest of the industry?!

I can tell you why we don’t know the names of these unhackable companies, and it’s not because Mr. Clarke won’t share them or because they don’t like him using their names, it’s because they don’t exist!

How about the secret sauce, surely this can be shared. Ari Shapiro, being the very good journalist that he is, asks.

SHAPIRO: What do the companies that have not been successfully hacked have in common? What are they doing right?

CLARKE: The companies that are resilient spend more money on it and have a better governance model so that the guy in charge or the gal in charge reports to a much higher-level official. They’re not buried in the bureaucracy of the company. And in terms of just a raw metric, the good companies – the companies that are successful at this – are spending 8% to 10% of their IT budget securing their networks. There are banks in New York that are employing thousands of people and spending hundreds of millions of dollars each year.

Am I reading this right? The secret sauce is “more money” and a “better governance model”? Can’t be. There’s got to be more than that. Well, he goes on to say there are banks in New York who employ thousands of people spending millions of dollars. Banks in New York. Could this be a hint about one of these mystery companies. He also referred to people. There’s a problem now, once you bring people into the equation. Something that’s unhackable requires perfection, doesn’t it? If there’s a flaw anywhere, there’s a potential vulnerability. These people must be infallible. Do you think these are infallible people? They don’t make mistakes? What kind of people must these be?

Want an unhackable company? Find perfect, infallible people. That’s got to be part of the secret sauce!

Back to the money thing. How much money is “more money”? Surely if we throw more money at the problem, it’ll get solved. After all, we’re throwing billions of dollars at the problem every year. Mr. Clarke claims that the successful companies are spending 8% –  10% of thier IT budget on security. On average a large company (more than $2 billion in revenue) spends 3.2% of revenue on IT, but banks spend more like 7%. So, let’s take a $2 billion (revenue) bank. If they spend between $11,200,000 and $14,000,000 ($2 billion x 7% x 8 or 10%) on security, this will make them unhackable? How about J.P. Morgan? This is the biggest bank in New York. They had revenues of $109 billion in 2018. If they spend (or spent) between $610 million and $763 million on information security, did this, or could this, make them unhackable?

Hmm. Maybe, but we still got that people thing. He also mentions another requirement. The guy or gal running this unhackable security program needs to report to the top, like the CEO or even the board.

So far, we can glean that we’ll need the following for an unhackable company:

  • More money – somewhere between 8-10% of 3.2-7% of revenue, maybe even more.
  • Better governance model – report to the CEO or board.
  • Infallible people – perfect people

SHAPIRO: You’ve said the government has acknowledged that it is hackable and that companies have figured out how to get the upper hand and prevent themselves from being hacked. Why can’t the government learn the lessons that these companies have learned?

CLARKE: Well, I think part of the problem is the federal government, which has maybe 40 or 50 major departments and agencies, insists that they all defend themselves. I don’t think that should be the job of every federal agency. What we propose in the book is that the government create one single cybersecurity office for all the little agencies and departments that can’t do it. This is what’s done in the private sector. A lot of companies don’t do it themselves.

SHAPIRO: They outsource it. They hire a contractor.

CLARKE: They outsource it, and you pay them by the month. And you get the – you get them handling all of your security. That’s the way the federal government should do it.

Ooh, another hint. Outsource all your security. Lord knows, a third-party will most definitely treat your stuff as well or better than you will.

DONE! Want an unhackable company, do this:

  • Spend more.
  • Govern better.
  • Be perfect.
  • Outsource stuff.

Let’s Be Real Now

You sensed the sarcasm, right? Here’s the truth:

YOU CANNOT BE UNHACKABLE, EVER.

Anytime you hear someone claim that something or someone can’t be hacked, give it a long sideways look. Such a person who says such things almost instantly loses credibility with all of us who know better. To give Mr. Clarke the benefit of the doubt, he didn’t explicitly say that there are unhackable companies. He just sort of implied it. It’s also possible that I misunderstood what he was saying, but I read the transcript multiple times and came to the same conclusion. Could be he’s just trying to sell books too. Who knows for sure?

The goal isn’t to be unhackable. The goal isn’t to eliminate risk. The goal is to manage it. Eliminating risk would require perfection, and perfection isn’t possible. If anyone tells you different, he/she is a fool. Don’t take advice from a fool.